Secure and accurate provisioning system and method

ABSTRACT

A method and system for provisioning credentials is disclosed. The method includes receiving an encrypted data packet including a first passcode and credentials in encrypted form, and a second passcode. The second passcode is compared to a first passcode. If the passcodes match, then a server computer can transmit a token associated with the credentials to a service provider computer.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application is a non-provisional application of and claims thebenefit of the filing date of U.S. Provisional Application No.62/557,315, filed on Sep. 12, 2017, which is herein incorporated byreference in its entirety.

BACKGROUND

Systems have been created to authenticate a user in order to initiateprovision credentials to a service provider application on a mobiledevice operated by the user. In some cases, many entities can beinvolved in this process. Such entities may include a processingcomputer, an authorizing entity computer, a service provider computer,and a user device.

A problem that exists with respect to existing provisioning methods isthat it is difficult to ensure that the same person that isauthenticated when the provisioning is initiated, is the same personthat is operating the mobile device that is receiving the access datathat is being provisioned. Another problem that exists with respect toexisting provisioning methods is that there are many messagetransmissions. Increasing the number of messages that are transmittedbetween entities increases the likelihood of man-in-the-middle attacks,and also consumes a significant amount of computing resources in acomputer network.

Embodiments of the invention address these and other problemsindividually and collectively.

SUMMARY

One embodiment of the invention includes receiving, by a serviceprovider computer, an encrypted data packet comprising credentials and afirst passcode; receiving, by the service provider computer, a secondpasscode from a user device; transmitting, by the service providercomputer, the second passcode and the encrypted data packet to aprocessing computer, to cause the processing computer to decrypt theencrypted data packet to obtain the credentials and the first passcode,compare the first passcode to the second passcode, and provide to theservice provider computer access data when the first and secondpasscodes match; and receiving, by the service provider computer fromthe processing computer, the access data associated with thecredentials.

Another embodiment of the invention includes a service provider computercomprising: a processor; and a computer readable medium, coupled to theprocessor, the computer readable medium comprising code, executable bythe processor to implement a method comprising: receiving an encrypteddata packet comprising credentials and a first passcode; receiving asecond passcode from a user device; transmitting, by the serviceprovider computer, the second passcode and the encrypted data packet toa processing computer, to cause the processing computer to decrypt theencrypted data packet to obtain the credentials and the first passcode,compare the first passcode to the second passcode, and provide to theservice provider computer access data when the first and secondpasscodes match; and receiving, by the service provider computer fromthe processing computer, the access data associated with the credentials

Another embodiment of the invention is directed to a method comprising:receiving, by the processing computer, from a service provider computer,an encrypted data packet comprising credentials and a first passcode inencrypted form, and a second passcode; decrypting, by the processingcomputer, the encrypted data packet to obtain the credentials and thefirst passcode; comparing, by the processing computer, the firstpasscode to the second passcode; determining, by the processing computerthat the first passcode and the second passcode match; and transmitting,by the processing computer, access data associated with the credentialsto the service provider computer.

Another embodiment of the invention is directed to a processing computercomprising: a processor; and a computer readable medium. The computerreadable medium comprises code, executable by the processor forimplementing a method comprising: receiving, from a service providercomputer, an encrypted data packet comprising credentials and a firstpasscode in encrypted form, and a second passcode; decrypting, theencrypted data packet to obtain the credentials and the first passcode;comparing the first passcode to the second passcode; determining thatthe first passcode and the second passcode match; and transmittingaccess data associated with the credentials to the service providercomputer.

Further details regarding embodiments of the invention can be found inthe Detailed Description and the Figures.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a block diagram of a system according to an embodiment.

FIG. 2 shows a block diagram of user device according to an embodiment.

FIG. 3 shows a block diagram of a service provider computer according toan embodiment.

FIG. 4 shows a block diagram of a processing computer according to anembodiment.

FIG. 5 shows a flow diagram depicting a provisioning method according toan embodiment.

FIG. 6 shows a flow diagram depicting a provisioning method according toanother an embodiment. The embodiment in FIG. 6 includes the use ofmultiple encrypted data packets.

FIGS. 7A-7C show examples user device displays.

FIG. 8 shows a block diagram illustrating a building access system.

FIG. 9 shows a block diagram illustrating a payment processing system.

DETAILED DESCRIPTION

Prior to discussing embodiments of the invention, some terms can bedescribed in further detail.

A “user device” may be any suitable device that can interact with a userdevice (e.g., a payment card or mobile phone). User devices may be inany suitable form. Some examples of user devices include cellularphones, PDAs, personal computers (PCs), tablet computers, and the like.In some embodiments, where a user device is a mobile device, the mobiledevice may include a display, a memory, a processor, a computer-readablemedium, and any other suitable component.

A “mobile device” (sometimes referred to as a mobile communicationdevice) may comprise any suitable electronic device that may betransported and operated by a user, which may also provide remotecommunication capabilities to a network. A mobile communication devicemay communicate using a mobile phone (wireless) network, wireless datanetwork (e.g. 3G, 4G or similar networks), Wi-Fi, Bluetooth, BluetoothLow Energy (BLE), Wi-Max, or any other communication medium that mayprovide access to a network such as the Internet or a private network.Examples of mobile devices include mobile phones (e.g. cellular phones),PDAs, tablet computers, net books, laptop computers, wearable devices(e.g., watches), vehicles such as automobiles and motorcycles, personalmusic players, hand-held specialized readers, etc. A mobile device maycomprise any suitable hardware and software for performing suchfunctions, and may also include multiple devices or components (e.g.when a device has remote access to a network by tethering to anotherdevice—i.e. using the other device as a modem—both devices takentogether may be considered a single mobile device).

A “resource provider” can be any suitable entity that provides resources(e.g., goods, services, access to secure data, access to locations, orthe like) during a transaction. For example, a resource providing entitycan be a merchant, a venue operator, a building owner, a governmentalentity, etc. A “merchant” may typically be an entity that engages intransactions and can sell goods or services, or provide access to goodsor services.

An “application” may be a computer program that is used for a specificpurpose.

“Authentication data” may include any data suitable for authenticating auser or mobile device. Authentication data may be obtained from a useror a device that is operated by the user. Examples of authenticationdata obtained from a user may include PINs (personal identificationnumbers), biometric data, passwords, etc. Examples of authenticationdata that may be obtained from a device may be include device serialnumbers, hardware secure element identifiers, device fingerprints, phonenumbers, IMEI numbers, etc.

“Access data” may include any suitable data that can be used to access aresource or create data that can access a resource. In some embodiments,access data may be account information for a payment account. Accountinformation may include a PAN (primary account number), payment token,expiration date, verification values (e.g., CVV, CVV2, dCVV, dCVV2),etc. In other embodiments, access data may be data that can be used toactivate account data. For example, in some cases, account informationmay be stored on a mobile device, but may not be activated untilspecific information is received by the mobile device. In otherembodiments, access data could include data that can be used to access alocation. Such access data may be ticket information for an event, datato access a building, transit ticket information, etc. In yet otherembodiments, access data may include data used to obtain access tosensitive data. Examples of access data may include codes or other datathat are needed by a server computer to grant access to the sensitivedata.

An “access request” may include a request for access to a resource. Theresource may be a physical resource (e.g., good), digital resources(e.g., electronic document, electronic data, etc.), or services. In somecases, an access request may be submitted by transmission of an accessrequest message that includes access request data. Typically a deviceassociated with a requestor may transmit the access request message to adevice associated with a resource provider.

“Access request data” may include any information surrounding or relatedto an access request. Access request data may include access data.Access request data may include information useful for processing and/orverifying the access request. For example, access request data mayinclude details associated with entities (e.g., resource providercomputer, processor server computer, authorization computer, etc.)involved in processing the access request, such as entity identifiers(e.g., name, etc.), location information associated with the entities,and information indicating the type of entity (e.g., category code).Exemplary access request data may include information indicating anaccess request amount, an access request location, resources received(e.g., products, documents, etc.), information about the resourcesreceived (e.g., size, amount, type, etc.), resource providing entitydata (e.g., resource provider data, document owner data, etc.), userdata, date and time of an access request, a method utilized forconducting the access request (e.g., contact, contactless, etc.), andother relevant information. Access request data may also be known asaccess request information, transaction data, transaction information,or the like.

An “access device” may be any suitable device for providing access to anexternal computer system. An access device may be in any suitable form.Some examples of access devices include point of sale (POS) devices,cellular phones, PDAs, personal computers (PCs), tablet PCs, hand-heldspecialized readers, set-top boxes, electronic cash registers (ECRs),automated teller machines (ATMs), virtual cash registers (VCRs), kiosks,security systems, access systems, Websites, and the like. An accessdevice may use any suitable contact or contactless mode of operation tosend or receive data from, or associated with, a mobile device. In someembodiments, where an access device may comprise a POS terminal, anysuitable POS terminal may be used and may include a reader, a processor,and a computer-readable medium. A reader may include any suitablecontact or contactless mode of operation. For example, exemplary cardreaders can include radio frequency (RF) antennas, optical scanners, barcode readers, or magnetic stripe readers to interact with a mobiledevice.

An “electronic wallet” or “digital wallet” can include an electronicdevice that allows an individual to conduct electronic commercetransactions. A digital wallet may store user profile information,credentials, bank account information, one or more digital walletidentifiers and/or the like and can be used in a variety oftransactions, such as, but not limited to, eCommerce transactions,social network transactions, money transfer/personal paymenttransactions, mobile commerce transactions, proximity paymenttransactions, gaming transactions, etc. A digital wallet may be designedto streamline the purchase and payment process. A digital wallet mayallow the user to load one or more payment cards onto the digital walletso as to make a payment without having to enter an account number orpresent a physical card.

A “credential” may be any suitable information that serves as reliableevidence of worth, ownership, identity, or authority. A credential maybe a string of numbers, letters, or any other suitable characters, aswell as any object or document that can serve as confirmation. Examplesof credentials include value credentials, identification cards,certified documents, access cards, passcodes and other logininformation, etc. Other examples of credentials include PANs (primaryaccount numbers), PII (personal identifiable information) such as name,address, and phone number, and the like.

An “authorizing entity” may be an entity that authorizes a request,typically using an authorizing computer to do so. An authorizing entitymay be an issuer, a governmental agency, a document repository, anaccess administrator, etc. An “issuer” may typically include a businessentity (e.g., a bank) that maintains an account for a user. An issuermay also issue payment credentials stored on a user device, such as acellular telephone, smart card, tablet, or laptop to the user.

A “service provider” may be an entity that can provide a resource suchas goods, services, information, and/or access typically through aservice provider computer. Examples of a service provider includesmerchants, digital wallets, payment processors, etc.

A “user” may include an individual or a computational device. In someembodiments, a user may be associated with one or more personal accountsand/or mobile devices. In some embodiments, the user may be acardholder, account holder, or consumer.

A “token” may be a substitute value for a credential. A token may be astring of numbers, letters, or any other suitable characters. Examplesof tokens include payment tokens, access tokens, personal identificationtokens, etc.

A “payment token” may include an identifier for a payment account thatis a substitute for an account identifier, such as a primary accountnumber (PAN). For example, a token may include a series of alphanumericcharacters that may be used as a substitute for an original accountidentifier. For example, a token “4900 0000 0000 0001” may be used inplace of a PAN “4147 0900 0000 1234.” In some embodiments, a token maybe “format preserving” and may have a numeric format that conforms tothe account identifiers used in existing transaction processing networks(e.g., ISO 8583 financial transaction message format). In someembodiments, a token may be used in place of a PAN to initiate,authorize, settle or resolve a payment transaction or represent theoriginal credential in other systems where the original credential wouldtypically be provided. In some embodiments, a token value may begenerated such that the recovery of the original PAN or other accountidentifier from the token value may not be computationally derived.Further, in some embodiments, the token format may be configured toallow the entity receiving the token to identify it as a token andrecognize the entity that issued the token.

A “key” may include a piece of information that is used in acryptographic algorithm to transform data into another representation. Acryptographic algorithm can be an encryption algorithm that transformsoriginal data into an alternate representation, or a decryptionalgorithm that transforms encrypted information back to the originaldata. Examples of cryptographic algorithms may include triple dataencryption standard (TDES), data encryption standard (DES), advancedencryption standard (AES), etc.

An “authorization request message” may be an electronic message that issent to a payment processing network and/or an issuer of a payment cardto request authorization for a transaction. An authorization requestmessage according to some embodiments may comply with ISO 8583, which isa standard for systems that exchange electronic transaction informationassociated with a payment made by a user using a payment device orpayment account. The authorization request message may include an issueraccount identifier that may be associated with a payment device orpayment account. An authorization request message may also compriseadditional data elements corresponding to “identification information”including, by way of example only: a service code, a CVV (cardverification value), a dCVV (dynamic card verification value), anexpiration date, etc. An authorization request message may also comprise“transaction information,” such as any information associated with acurrent transaction, such as the transaction amount, merchantidentifier, merchant location, etc., as well as any other informationthat may be utilized in determining whether to identify and/or authorizea transaction.

An “authorization response message” may be an electronic message replyto an authorization request message generated by an issuing financialinstitution or a payment processing network. The authorization responsemessage may include, by way of example only, one or more of thefollowing status indicators: Approval—transaction was approved;Decline—transaction was not approved; or Call Center—response pendingmore information, merchant must call the toll-free authorization phonenumber. The authorization response message may also include anauthorization code, which may be a code that a credit card issuing bankreturns in response to an authorization request message in an electronicmessage (either directly or through the payment processing network) tothe merchant's access device (e.g., POS equipment) that indicatesapproval of the transaction. The code may serve as proof ofauthorization. As noted above, in some embodiments, a payment processingnetwork may generate or forward the authorization response message tothe merchant.

A “server computer” is typically a powerful computer or cluster ofcomputers. For example, the server computer can be a large mainframe, aminicomputer cluster, or a group of servers functioning as a unit. Inone example, the server computer may be a database server coupled to aWeb server.

A “processor” may include any suitable data computation device ordevices. A processor may comprise one or more microprocessors workingtogether to accomplish a desired function. The processor may include CPUcomprises at least one high-speed data processor adequate to executeprogram components for executing user and/or system-generated requests.The CPU may be a microprocessor such as AMD's Athlon, Duron and/orOpteron; IBM and/or Motorola's PowerPC; IBM's and Sony's Cell processor;Intel's Celeron, Itanium, Pentium, Xeon, and/or XScale; and/or the likeprocessor(s).

A “memory” may be any suitable device or devices that can storeelectronic data. A suitable memory may comprise a non-transitorycomputer readable medium that stores instructions that can be executedby a processor to implement a desired method. Examples of memories maycomprise one or more memory chips, disk drives, etc. Such memories mayoperate using any suitable electrical, optical, and/or magnetic mode ofoperation.

FIG. 1 shows a system 100 comprising a number of components according toan embodiment of the invention. The system 100 comprises a user device102 which may be associated with a user 101, an authorizing computer 104that may hold an account of the user 101, a processing computer 106, anda service provider computer 108. The service provider computer 108 mayoperate or be affiliated with a service provider application on the userdevice 102 that is used by the user 101. The service providerapplication can be a digital wallet application or an access applicationsuch as a transit application.

The user device 102, the authorizing computer 104, the processingcomputer 106, and the service provider computer 108 may all be inoperative communication with each other through any suitablecommunication channel or communications network. Suitable communicationsnetworks may be any one and/or the combination of the following: adirect interconnection; the Internet; a Local Area Network (LAN); aMetropolitan Area Network (MAN); an Operating Missions as Nodes on theInternet (OMNI); a secured custom connection; a Wide Area Network (WAN);a wireless network (e.g., employing protocols such as, but not limitedto a Wireless Application Protocol (WAP), I-mode, and/or the like);and/or the like. Messages between the computers, networks, and devicesmay be transmitted using a secure communications protocols such as, butnot limited to, File Transfer Protocol (FTP); HyperText TransferProtocol (HTTP); Secure Hypertext Transfer Protocol (HTTPS), SecureSocket Layer (SSL), ISO (e.g., ISO 8583) and/or the like.

In some embodiments, the user device 102 may include a service providerapplication such as a mobile wallet application, payment application, oraccess application that may be provisioned with access data to enablethe user device 102 to conduct access transactions.

For simplicity of illustration, a certain number of components are shownin FIG. 1. It is understood, however, that embodiments of the inventionmay include more than one of each component. In addition, someembodiments of the invention may include fewer than or greater than allof the components shown in FIG. 1.

The authorizing computer 104 can be a computer that is associated withan authorizing entity (e.g., a bank), a secure data access provider, anentity that can provide access to a location, or the like. Theauthorizing computer 104 may include a processor and a computer readablemedium coupled to the processor, the computer readable medium comprisingcode, executable by the processor for performing the functions describedbelow. The authorizing computer 104 may be configured to transmitmessages and passcodes to the user device 102, transmit messages andencrypted data packets to the service provider computer 108, etc.

The processing computer 106 may be a server computer. The processingcomputer 106 may include a processor and a computer readable mediumcoupled to the processor. The computer readable medium may comprisecode, executable by the processor to perform the functions describedherein. In some embodiments, the server computer may be coupled to adatabase and may include any suitable hardware, software, other logic,or combination of the preceding for decrypting encrypted data packets,decrypting double encrypted data packets, decrypting first encryptedresults, storing key sets, determining if first and second passcodesmatch, etc.

The service provider computer 108 may perform functions that may beembodied by computer code, residing on computer readable media. Theservice provider computer 108 may include a processor and a computerreadable medium coupled to the processor. The computer readable mediumcomprising code, executable by the processor for performing thefunctions described herein. The service provider computer 108 may beconfigured to transmit messages, receive messages, and determine data.Examples of the service provider computers may include applicationserver computers such as electronic wallet servers, digital walletservers, Web servers such as merchant Web servers, processor serverssuch as payment processor servers, etc.

FIG. 2 shows a block diagram of a user device 102 according to anembodiment. In some embodiments, the user device 102 may be a paymentdevice that can be used to make payments or a device which can allow auser to gain access to a location. The exemplary user device 102 maycomprise a computer readable medium 102B and a memory 102C that can bepresent within the body 102J of the user device 102. The body 102J maybe in the form a plastic substrate, housing, or other structure. In somecases, the memory 102C may be a secure element, and/or may also storeinformation such as access data such as tokens, PANs, tickets, etc.Information in the memory 102C may be transmitted by the user device 102to another device using an antenna 102D or contactless element 1021.

The computer readable medium 102B may comprises code, executable by theprocessor for implementing methods according to embodiments. Thecomputer readable medium 102B may contain a service provider application102B-1 and an authorizing computer application 102B-2. The serviceprovider application 102B-1 can allow the user device 102 to communicatewith a service provider computer 108. It can provide functions providedby a service provider. Examples of service provider applications caninclude digital wallet applications, payment applications, merchantapplications, transit applications, applications to access secure data,etc. The authorizing computer application 102B-2 can allow the userdevice 102 to communicate with an authorizing computer 104. It canprovide functions provided by an authorization entity. Examples ofauthorization entities include banks, payment processors, administrativeauthorities, governmental entities, etc.

In some embodiments, the user device 102 may further include acontactless element 1021, which is typically implemented in the form ofa semiconductor chip (or other data storage element) with an associatedwireless transfer (e.g., data transmission) element, such as an antenna.Data or control instructions that are transmitted via a cellular networkmay be applied to the contactless element 1021 by means of a contactlesselement interface (not shown). Contactless element 1021 may be capableof transferring and receiving data using a short range wirelesscommunication capability. Thus, the user device 102 may be capable ofcommunicating and transferring data or control instructions via bothcellular network (or any other suitable wireless network—e.g. theInternet or other data network) and short range communications.

The user device 102 may also include a processor 102A (e.g., amicroprocessor) for processing the functions of the user device 102 anda display 102G to allow a user to view information. The user device 102may further include input elements 102E (e.g., a touchscreen, keyboard,touchpad, sensors such as biometric sensors, etc.), a speaker 102H, anda microphone 102F. The user device 102 may also include an antenna 102Dfor wireless data transfer.

FIG. 3 shows a block diagram of a service provider computer 106according to an embodiment. The service provider computer 106 maycomprise a processor 106A, which may be coupled to a system memory 106Band an external communication interface 106C. A computer readable medium106D may also be operatively coupled to the processor 106A.

Communication interface 106C may be any suitable combination of hardwareand software that enables data to be transferred to and from serviceprovider computer 106. Communication interface 106C may enable theservice provider computer 106 to communicate data to and from anotherdevice (e.g., resource provider computer, authorizing computer, etc.).Some examples of communication interface 106C may include a modem, aphysical network interface (such as an Ethernet card or other NetworkInterface Card (NIC)), a virtual network interface, a communicationsport, a Personal Computer Memory Card International Association (PCMCIA)slot and card, or the like. The wireless protocols enabled bycommunication interface 106C may include Wi-Fi.

Data transferred via communication interface 106C may be in the form ofsignals which may be electrical, electromagnetic, optical, or any othersignal capable of being received by the external communicationsinterface (collectively referred to as “electronic signals” or“electronic messages”). These electronic messages that may comprise dataor instructions may be provided between communication interface 106C andother devices via a communications path or channel. Any suitablecommunication path or channel may be used such as, for instance, a wireor cable, fiber optics, a telephone line, a cellular link, a radiofrequency (RF) link, a WAN or LAN network, the Internet, or any othersuitable medium.

The computer readable medium 106D may comprise a number of softwaremodules including a communication module 106D-1, an applicationinterface module 106D-2, and a host module 106D-3.

The communication module 106D-1 may comprise code that causes theprocessor 106A to generate messages, forward messages, reformatmessages, and/or otherwise communicate with other entities.

The application interface module 106D-2 can contain code, executable bythe processor 106A, to interact with a service provider application on auser device.

The host module 106D-3 may comprise code, executable by the processor106A to generate a host site such as a Web site hosted by a serviceprovider. If a host site is used, the host site could also beprovisioned with access data.

The computer readable medium 106D may comprise code, executable by theprocessor 106A to implement a method comprising: receiving an encrypteddata packet comprising credentials and a first passcode; receiving asecond passcode from a user device; transmitting, by the serviceprovider computer, the second passcode and the encrypted data packet toa processing computer, to cause the processing computer to decrypt theencrypted data packet to obtain the credentials and the first passcode,compare the first passcode to the second passcode, and provide to theservice provider computer access data when the first and secondpasscodes match; and receiving, by the service provider computer fromthe processing computer, the access data associated with the credentials

FIG. 4 shows a block diagram of a processing computer 108 according toan embodiment. The processing computer 108 may comprise a processor108A, which may be coupled to a system memory 108B and an externalcommunication interface 108C. A computer readable medium 108D may alsobe operatively coupled to the processor 108A. A database 108E may alsobe in operative communication with the processor 108A. The database 108Emay contain access data such as tokens and/or account data, as well asmappings between access data, credentials, and/or communication deviceidentifiers such as phone numbers, IP addresses, device identifiers,etc.

The computer readable medium 108D may comprise a number of softwaremodules including a communication module 108D-1, anencryption/decryption module 108D-2, a database update module 108D-3, acode generation module 108D-4, an authorization module 108D-5, avalidation module 108D-6, and a provisioning module 108D-7.

The communication module 108D-1 may comprise code that causes theprocessor 108A to generate messages, forward messages, reformatmessages, and/or otherwise communicate with other entities.

The encryption/decryption module 106D-2 may include any suitableencryption/decryption algorithms to encrypt data in embodiments of theinvention. Suitable data encryption/decryption algorithms may includeDES, triple DES, AES, etc. It may also store encryption keys that can beused with such encryption/decryption algorithms. The encryption module106D-2 may utilize symmetric or asymmetric encryption techniques toencrypt and/or verify data. Cryptographic keys that may be used by theencryption/decryption module 1060-2 may be securely stored in the systemmemory 108B.

The database update module 108D-3 may comprise code that causes theprocessor 108A to update an account database 108E. The database 108E maybe updated with account information, token to credential to deviceinformation mapping, provisioning information, etc.

The code generation module 108D-4 may comprise code that causes theprocessor 108A to generate codes or receive codes. As will be explainedin detail below, codes can be received from an authorizing computer ormay be generated independently from data from the authorization computeror through the use of shared secrets.

The authorization module 108D-5 may comprise code that can cause theprocessor 108A to evaluate authorization request messages fortransactions and determine if the transactions should be authorized. Theauthorization module 108D-5 may also include code for routing ormodifying authorization request and response messages as they passbetween various parties such as issuers and acquirers.

The validation module 1080-6 may include any suitable code forvalidating codes or data. In some embodiments, the validation module108D-6 may validate encrypted data packets received from a serviceprovider computer 108. The validation module 108D-6 may also beprogrammed to compare first and second codes to determine if a match ispresent.

The provisioning module 108D-7 can include code, executable by theprocessor 108A to provision user devices with access data.

In some embodiments, the computer readable medium 108D may comprisecode, executable by the processor to implement a method comprising:receiving, from a service provider computer, an encrypted data packetcomprising credentials and a first passcode in encrypted form, and asecond passcode; decrypting, the encrypted data packet to obtain thecredentials and the first passcode; comparing, the first passcode to thesecond passcode; determining, that the first passcode and the secondpasscode match; and transmitting, access data associated with thecredentials to the service provider computer.

FIG. 5 shows a flow diagram depicting securely provisioning access datato a service provider computer 108 according to an embodiment. Theservice provider computer 108 can then provide the access data to aservice provider application on the user device 102.

At step S108, a user of the user device 102 may wish to access anauthorizing entity application 1026-2 (e.g., a mobile bankingapplication) on the user device 102 to push provision access data toservice provider application 1026-1 (e.g., a digital wallet application)on the user device 102. The user of the user device 102 may supply thenecessary credentials, such as a username and password to access theauthorizing entity application 1026-2.

At step S110, the user 101 may transmit a request message to theauthorizing computer 104, requesting that the service provider computer108 be provisioned with access data, so that it can be provided to aservice provider application 1026-1 on the user device 102. Once theuser of the user device 102 is ready to send the request message, theuser may select a “Send,” “Select a digital wallet,” “+,” or any othersuitable option presented on a display of the user device 102. Anexample user device display during this step is shown in displays 502and 504 of FIG. 7A.

In some embodiments, after receiving the request message from the userdevice 102, the authorizing computer 104 may provide a list of availableservice providers or service provider applications that can beprovisioned with access data (e.g., a token) associated with credentialsheld by the authorizing computer 104. FIG. 7A display 504 portrays anexample list available to a user 101. In this embodiment, the user 101may select from a list of four different digital wallets. If the accessdata is a token, then each of the digital wallets may have a tokenrequestor identifier that is stored at the authorizing computer 104.Before or after selecting the service provider, the user 101 may alsoselect a credential to provision to the selected service provider orservice provider application. If the access data is a token, theauthorizing computer 104 may contact the processing computer 106 todetermine if a token already is present for the user of the user device102 with the selected service provider.

At step S112, the authorizing computer 104 may transmit a responsemessage, comprising a second passcode, to the user device 102. In someembodiments, the response message may include a text description,instructions, a time to live for the second passcode or other relevantinformation. The response message may be in the form of a text message,application notification, email, and/or the like. 506 in FIG. 7Aportrays an example passcode displayed on the user device 102. In thisembodiment, the passcode will also be sent to the user's email address.The passcode may be in any suitable form and may include any suitablenumber of types of characters (e.g., letters or numbers).

The second passcode may be generated or otherwise obtained by theauthorizing computer 104. A corresponding first passcode can begenerated and transmitted to the processing computer 106 and storedtherein. In other embodiments, the first code can be derived by theprocessing computer 106 using information from the authorizing computer104, or it may be derived from a shared secret with the authorizingcomputer 104.

At step S114, the authorizing computer 104 may generate and transmit anencrypted data packet comprising credentials and a first passcode formedby encrypting this data with a first key of a first key set to theservice provider computer 108. The first key of the first key set isused by the authorizing computer 104 to encrypt the data packet. In someembodiments, the authorizing computer 104 may share the first key setwith the processing computer 106, so that the processing computer 106can be decrypted using a key in the first key set. The authorizingcomputer 104 may also send the user's name, e-mail address or mobilephone number along with the encrypted data packet. This information canbe used by the service provider computer 108 to identify and communicatewith the user device 102.

In some embodiments, the service provider computer 108 may optionallyrequest a validation of the encrypted data packet from the processingcomputer 106. If valid, the processing computer 106 may transmit dataabout the user (e.g., the user's name, e-mail address, mobile phonenumber, etc.) to the service provider computer 108. If invalid, theprocessing computer 106 may terminate the connection and relay thetermination decision to the authorizing computer 104 and/or the userdevice 102.

In some embodiments, after receiving the encrypted data packet and/ordata about the user device 102 at the service provider computer 108, theservice provider computer 108 may provide information to the user viathe service provider application 102B-1 about either signing up for anew account or signing in to an existing account. The user of the userdevice 102 may complete the sign in or sign up using the serviceprovider application 102B-1 on the user device 102. 508 in FIG. 7B showsa way of signing in using a biometric scanner. In this case, the userverifies their identity with their fingerprint. The user may provideenrollment information to the service provider computer 108 via theservice provider application 102B-1 on the user device 102. The serviceprovider computer 108 may then prompt the user via the user device 102to submit the second passcode to the service provider computer 108through the service provider application 102B-1 to connect with theservice provider computer 108 or other recognized means of communicationas shown in 510.

In other embodiments, the service provider computer 108 may transmitterms and conditions to the user device 102. The user is given theoption to accept or reject the terms and conditions. The user device 102may then send the corresponding “Agree,” “Reject,” or other appropriateresponse message to the service provider computer 108. In someembodiments, the steps of accepting or rejecting the terms andconditions may occur at any point after step S114. 512 of FIG. 7B showsan example user device 101 displaying the “Terms of Service.”

At step S116, the user may use the user device 102 to transmit thesecond passcode to the service provider computer 108. The user device102 may access the service provider application 102B-1 to connect to theservice provider computer 102A in order to transmit the second passcode,as shown in 510 in FIG. 7B. In some embodiments, the transmission mayinclude data in addition to the second passcode, such as, a textdescription, instructions, or other relevant information.

In other embodiments, if the second passcode has expired, due to a giventime to live or other mechanism, then the service provider application102B-1 may generate an error message. The error message may containinformation useful to the user 101, pertaining to needing a newpasscode, connection issues, or other current and relevant issuespreventing completion of the provisioning process.

At step S118, the service provider computer 108 may transmit the secondpasscode and the encrypted data packet to the processing computer 106.The second passcode and the encrypted data packet may be transmitted inone transmission. In other embodiments, the service provider computer108 may first transmit the second passcode, and then transmit theencrypted data packet. In another embodiment, the service providercomputer 108 may first transmit the encrypted data packet, and then thesecond passcode to the processing computer 106. If the service providercomputer 108 receives either the second passcode or the encrypted datapacket before it receives the other, the service provider computer 108may store the received data in a secure memory storage, until itreceives the other.

In other embodiments, the service provider computer 108 may transmit theenrollment information provided by the user along with the encrypteddata packet and the second passcode to the processing computer 106.

At step S122, the processing computer 106 may decrypt the encrypted datapacket using the second key of the first key set in order to retrievethe credentials (e.g., a PAN) and the first passcode. The processingcomputer 106 may determine if the first passcode is the same as thesecond passcode. If the first passcode is the same as the secondpasscode, then the processing computer 106 may proceed to step 124. Ifthe first passcode is not the same as the second passcode, then theprocessing computer 106 may terminate the communication connection withthe service provider computer 108. The processing computer 106 may relaythe termination information with the authorizing computer 104.

In some embodiments, the processing computer 106 may adjust any relevantrisk indicators. For example, if the first passcode matches the secondpasscode the risk indicators will be set to low. The processing computer106 may then transmit the risk indicators to the authorizing computer104.

In step S124, the service provider computer 108 can receive anenrollment ID if the processing computer 106 determines that the firstand second passcodes match.

In step S126, upon receiving the enrollment ID, the service providercomputer 108 may transmit a confirmation to provision message to theprocessing computer 106.

Note that steps S124 and S126 are optional, and the process couldproceed directly to step S128 from step S122.

At step S128, the processing computer 106 may transmit the access datato the service provider computer 108. The transmission may also includea text description, instructions, or other relevant information. Theservice provider computer 108 may also store the access data.

At step S130, the access data may be provided to the service providerapplication 102B-1 in the user device 102.

As noted above, in some embodiments, the service provider computer 108may confirm the acquisition of the credentials in a confirmation messageby sending the confirmation message to the processing computer 106, theauthorizing computer 104, and/or the user device 102. 516 and 518 inFIG. 7C show example displays of the user 101 successfully adding theprior requested digital wallets. In this embodiment, the confirmationstates “Card is connected.” The confirmation message to the user device102 may include step-up options. The user may be required to choose averification method and then verify themselves. Once verified, theprocessing computer 106 may confirm access data (e.g., token) activationstatus.

The service provider computer 108 may then confirm the access dataactivation status to the user device 102. The user of the user device102 may also be redirected back to the authorizing entity application102B-2. In some embodiments, the processing computer 106 may push theprovision status and the access data status to the authorizing computer104.

In the message flows illustrated in FIG. 5, a session identifier may bepresent in each of the messages to identify the various messages asbeing part of a single provisioning transaction.

FIG. 6 shows a flow diagram depicting a method of securely provisioningcredentials to a service provider computer according to an embodiment.

At steps S208, S210, and S212, the process described with respect tosteps S108, S110, and S212 in FIG. 5 may be performed, and correspondingdescriptions are incorporated herein.

At step 214, the authorizing computer 104 may transmit a doubleencrypted data packet, formed by encrypting the credentials and thefirst password by a first key of a first key set to form a firstencrypted result, and then encrypting the first encrypted result with afirst passcode, to the service provider computer 108. In someembodiments, the double encrypted data packet may be encrypted anynumber of times.

At step S216, a process similar to that described in step S116 in FIG. 5may be performed, and corresponding descriptions are incorporatedherein.

At step S218, the service provider computer 108 may transmit the secondpasscode and the double encrypted data packet to the processing computer106.

At step S220, the processing computer 106 may decrypt the doubleencrypted data packet with the second passcode or a derivative thereof(e.g., a hash or other computed value) to obtain the first encryptedresult. In some embodiments, the processing computer 106 may decrypt thedouble encrypted data packet any number of times.

At step S222, the processing computer 106 decrypts the first encryptedresult with a second key of the first key set to obtain the credentials.

At steps S224, S226, S228, and S230 can include processes similar tothose described above with respect to steps S124, S126, S128, and S130above, and corresponding descriptions are incorporated herein. Note thatsteps S224 and S226 are optional, and the process could proceed directlyto step S228 from step S222.

FIG. 7A shows an example user device 102 display during certain pointsin the method illustrated in FIG. 5. 502 depicts an application on auser device 102 where the user 101 may select a new digital walletconnection for a chosen card. 504 depicts a display on the user device102 where the user 101 may select a digital wallet. 506 depicts the user101 receiving the second passcode on the user device 102.

FIG. 7B shows an example user device 102 display during certain pointsin the method illustrated in FIG. 5. 508 depicts an application on auser device 102 where the user 101 may sign in to an existing accountcorresponding to the prior selected digital wallet. 510 depicts adisplay on the user device 102 where the user 101 may enter the priorreceived second passcode and transmit it to the service providercomputer 108. 512 depicts a display on the user device 102 where theuser 101 receives the terms of service from the service providercomputer 108. The user 101 may be prompted to agree with the terms ofservice. 514 depicts a display on the user device 102 where the user 101may proceed to connect with the prior chosen digital wallet if thesecond passcode matches the first passcode, as determined by theprocessing computer 106. In some embodiments, the application willdisplay an error message informing the user 101 the entered secondpasscode is incorrect.

FIG. 7C shows an example user device 102 display during certain pointsin the method illustrated in FIG. 5. 516 depicts an application on auser device 102 where the user may be redirected to the authorizingentity application 102B-2. In some embodiments there may be aconfirmation message. 518 depicts a display on the user device 102 wherethe user may view the selected card that was connected to the selecteddigital wallet.

The process described above with respect to FIGS. 5 and 6 includes auser accessing an authorizing computer application 102B-2 to provision aservice provider application 102B-1 on the same user device 102 with atoken. Other embodiments are also possible. For example, in someembodiments, the service provider application 102B-1 may be on adifferent device than the user device 102. In such embodiments,cross-device provisioning can take place. In yet other embodiments, theservice provider application 102B-1 may be a Web application and may notreside on any specific user device, but may be hosted by a Web servercomputer. In yet other embodiments, the authorizing computer application102B-2 may be a Web application hosted by a Web server instead of beinga distinct application on a user device. In some cases, provisioning canoccur between Websites and the user device may use a generic browser andthe user device need not store or use specialized applications that needto be provisioned.

Once a token is provisioned to the service provider application 102B-1on the user device 102 (or elsewhere), the token can be used to access aresource such as a secure location, or goods or services.

FIG. 8 shows a block diagram of a building access system. FIG. 8 shows auser device 810 operated by a user 806. The user device 810 has beenprovisioned with access data (e.g., a token) as described above. Theuser device 810 can interact with the access device 820 and pass accessdata to the access device 820. The access device 820 may locally verifythe received access data or it may communicate with a remotely locatedauthentication server computer (not shown). The remotely locatedauthentication server computer may verify that the access data isauthentic and may transmit a signal indicating this back to the accessdevice 820. The access device 820 may then proceed to let the user 806enter the building 830.

FIG. 9 shows a block diagram of a transaction processing system that canuse a user device with access data (e.g., a token). FIG. 9 shows a user906 that can operate a user device 910. The user 906 may use the userdevice 910 to pay for a good or service at a resource provider such as amerchant. The merchant may operate a resource provider computer 930and/or an access device 920. The merchant may communicate with anauthorizing entity computer 960 operated by an issuer, via a transportcomputer 940 operated by an acquirer and a processing network 950 such apayment processing network.

The payment processing network may include data processing subsystems,networks, and operations used to support and deliver authorizationservices, exception file services, and clearing and settlement services.An exemplary payment processing network may include VisaNet™. Paymentprocessing networks such as VisaNet™ are able to process credit cardtransactions, debit card transactions, and other types of commercialtransactions. VisaNet™, in particular, includes a VIP system (VisaIntegrated Payments system) which processes authorization requests and aBase II system which performs clearing and settlement services. Thepayment processing network may use any suitable wired or wirelessnetwork, including the Internet.

A typical payment transaction flow using a user device 910 at an accessdevice 920 (e.g., POS location) can be described as follows. A user 906presents his or her user device 910 to an access device 920 to pay foran item or service. The user device 910 and the access device 920interact such that access data from the user device 910 (e.g., PAN, apayment token, verification value(s), expiration date, etc.) is receivedby the access device 920 (e.g., via contact or contactless interface).The resource provider computer 930 may then receive this informationfrom the access device 920 via an external communication interface. Theresource provider computer 930 may then generate an authorizationrequest message that includes the information received from the accessdevice 920 (i.e. information corresponding to the user device 910) alongwith additional transaction information (e.g., a transaction amount,merchant specific information, etc.) and electronically transmits thisinformation to a transport computer 940. The transport computer 940 maythen receive, process, and forward the authorization request message toa processing network 950 for authorization.

In general, prior to the occurrence of a credit or debit-cardtransaction, the processing network 950 has an established protocol witheach issuer on how the issuer's transactions are to be authorized. Insome cases, such as when the transaction amount is below a thresholdvalue, the processing network 950 may be configured to authorize thetransaction based on information that it has about the user's accountwithout generating and transmitting an authorization request message tothe authorizing entity computer 960. In other cases, such as when thetransaction amount is above a threshold value, the processing network950 may receive the authorization request message, determine the issuerassociated with the user device 910, and forward the authorizationrequest message for the transaction to the authorizing entity computer960 for verification and authorization. Once the transaction isauthorized, the authorizing entity computer 960 may generate anauthorization response message (that may include an authorization codeindicating the transaction is approved or declined) and transmit thiselectronic message via its external communication interface toprocessing network 950. The processing network 950 may then forward theauthorization response message to the transport computer 940, which inturn may then transmit the electronic message to comprising theauthorization indication to the resource provider computer 930, and thento the access device 920.

If the access data is in the form of a token, then the processingnetwork 950 may exchange the token for a real credential (e.g., a PAN).Any authorization request message may then be modified to include thereal credential and it may be forward to the authorizing entity computer960 for verification. The authorizing entity computer 960 can generatean authorization response message with an approval or decline. Theauthorization response message can be transmitted to the processingnetwork 950, and the processing network 950 may replace the credentialwith the token. The processing network 950 may then transmit theauthorization response message back to the access device 920.

At the end of the day or at some other suitable time interval, aclearing and settlement process between the resource computer 930, thetransport computer 940, the processing network 950, and the authorizingentity computer 960 may be performed on the transaction.

Embodiments of the invention provide for a number of advantages. Forexample, by requiring a user to enter a passcode into a service providerapplication to be provisioned with access data, the user confirms whichapplication is to be provisioned and the user's use of a particular userdevice can provide for a second factor of authentication beforeprovisioning occurs. Also, compared to the situation where the userdevice would need to separately communicate with each of the authorizingcomputer, the processing computer, and service provider computer,embodiments of the invention reduce the number of communications by notrequiring the user device to communicate directly with the processingcomputer. Lastly, as noted above, the methods according to embodimentscan be used to provision service provider applications, across differentdevices, as well as to Web applications hosted on Web services, therebymaking the methods according to embodiments very versatile.

It should be understood that any of the embodiments of the presentinvention can be implemented in the form of control logic using hardware(e.g. an application specific integrated circuit or field programmablegate array) and/or using computer software with a generally programmableprocessor in a modular or integrated manner. As used herein, a processorincludes a single-core processor, multi-core processor on a sameintegrated chip, or multiple processing units on a single circuit boardor networked. Based on the disclosure and teachings provided herein, aperson of ordinary skill in the art will know and appreciate other waysand/or methods to implement embodiments of the present invention usinghardware and a combination of hardware and software.

Any of the software components or functions described in thisapplication may be implemented as software code to be executed by aprocessor using any suitable computer language such as, for example,Java, C, C++, C#, Objective-C, Swift, or scripting language such as Perlor Python using, for example, conventional or object-orientedtechniques. The software code may be stored as a series of instructionsor commands on a computer readable medium for storage and/ortransmission, suitable media include random access memory (RAM), a readonly memory (ROM), a magnetic medium such as a hard-drive or a floppydisk, or an optical medium such as a compact disk (CD) or DVD (digitalversatile disk), flash memory, and the like. The computer readablemedium may be any combination of such storage or transmission devices.

Such programs may also be encoded and transmitted using carrier signalsadapted for transmission via wired, optical, and/or wireless networksconforming to a variety of protocols, including the Internet. As such, acomputer readable medium according to an embodiment of the presentinvention may be created using a data signal encoded with such programs.Computer readable media encoded with the program code may be packagedwith a compatible device or provided separately from other devices(e.g., via Internet download). Any such computer readable medium mayreside on or within a single computer product (e.g. a hard drive, a CD,or an entire computer system), and may be present on or within differentcomputer products within a system or network. A computer system mayinclude a monitor, printer, or other suitable display for providing anyof the results mentioned herein to a user.

The above description is illustrative and is not restrictive. Manyvariations of the invention will become apparent to those skilled in theart upon review of the disclosure. The scope of the invention should,therefore, be determined not with reference to the above description,but instead should be determined with reference to the pending claimsalong with their full scope or equivalents. For example, although thedescribed embodiments mention the use of electronic records in order toassess a risk level of an action, an electronic record can also be usedto access data or other services. For example, electronic records may beused to gain access to a location or service (e.g., a train ride orconcert). In this example, the electronic record may include atransaction record which indicates that a ticket has been associatedwith an account.

One or more features from any embodiment may be combined with one ormore features of any other embodiment without departing from the scopeof the invention.

As used herein, the use of “a,” “an,” or “the” is intended to mean “atleast one,” unless specifically indicated to the contrary.

1. A method comprising: receiving, by a service provider computer, anencrypted data packet comprising credentials and a first passcode;receiving, by the service provider computer, a second passcode from auser device; transmitting, by the service provider computer, the secondpasscode and the encrypted data packet to a processing computer, tocause the processing computer to decrypt the encrypted data packet toobtain the credentials and the first passcode, compare the firstpasscode to the second passcode, and provide access data to the serviceprovider computer when the first and second passcodes match; andreceiving, by the service provider computer from the processingcomputer, the access data associated with the credentials.
 2. The methodof claim 1, wherein the encrypted data packet is encrypted with a firstencryption key of a first key set, and wherein the encrypted data packetis decrypted with a second key of the first key set.
 3. The method ofclaim 1, wherein the encrypted data packet is a double encrypted datapacket.
 4. The method of claim 3, wherein the double encrypted datapacket is decrypted using the second passcode or a derivative of thesecond passcode.
 5. The method of claim 1, wherein the encrypted datapacket comprising the credentials and the first passcode are receivedfrom an authorizing computer.
 6. The method of claim 1, wherein accessdata comprises a token.
 7. The method of claim 1, wherein the encrypteddata packet is encrypted with a first encryption key of a first key set,wherein the encrypted data packet is decrypted with a second key of thefirst key set, and wherein the first key and the second key aresymmetric keys.
 8. A service provider computer comprising: a processor;and a computer readable medium, coupled to the processor, the computerreadable medium comprising code, executable by the processor toimplement a method comprising: receiving an encrypted data packetcomprising credentials and a first passcode; receiving a second passcodefrom a user device; transmitting, by the service provider computer, thesecond passcode and the encrypted data packet to a processing computer,to cause the processing computer to decrypt the encrypted data packet toobtain the credentials and the first passcode, compare the firstpasscode to the second passcode, and provide access data to the serviceprovider computer when the first and second passcodes match; andreceiving, by the service provider computer from the processingcomputer, the access data associated with the credentials.
 9. Theservice provider computer of claim 8, wherein the encrypted data packetis encrypted with a first encryption key of a first key set, and whereinthe encrypted data packet is decrypted with a second key of the firstkey set.
 10. The service provider computer of claim 8, wherein theencrypted data packet is a double encrypted data packet.
 11. The serviceprovider computer of claim 8, wherein the encrypted data packet is adouble encrypted data packet.
 12. The service provider computer of claim11, wherein the double encrypted data packet is decrypted using thesecond passcode or a derivative of the second passcode
 13. The serviceprovider computer of claim 8, wherein the encrypted data packetcomprising the credentials and the first passcode are received from anauthorizing computer.
 14. The service provider computer of claim 8,wherein the access data comprises a token.
 15. The service providercomputer of claim 8, wherein the encrypted data packet is encrypted witha first encryption key of a first key set, wherein the encrypted datapacket is decrypted with a second key of the first key set, and whereinthe first key and the second key are symmetric keys.
 16. A methodcomprising: receiving, by a processing computer, from a service providercomputer, an encrypted data packet comprising credentials and a firstpasscode in encrypted form, and a second passcode; decrypting, by theprocessing computer, the encrypted data packet to obtain the credentialsand the first passcode; comparing, by the processing computer, the firstpasscode to the second passcode; determining, by the processing computerthat the first passcode and the second passcode match; and transmitting,by the processing computer, access data associated with the credentialsto the service provider computer.
 17. The method of claim 16, whereinthe service provider computer is a Web server computer that operates aWebsite.
 18. The method of claim 16, wherein the encrypted data packetis double encrypted data packet.
 19. The method of claim 18, whereindecrypting the double encrypted data packet comprises decrypting thedouble encrypted data packet with the second passcode to form a singleencrypted data packet, and then decrypting the single encrypted datapacket with a cryptographic key at the processing computer.
 20. Themethod of claim 18, wherein the access data comprises a token. 21.(canceled)